UFGInsurance / mulint

Mule project linter
MIT License

Feature - Verify Credentials Are Not Committed in Git #1

Closed cjnickel closed 6 years ago

cjnickel commented 6 years ago

We're trying to avoid committing sensitive information like credentials or tokens to the repo. Can we look at adding a rule that checks for a couple of the common ones?

Examples
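To make the requested rule concrete, here is an added example of the kind of check it describes; it is not part of this issue, of PR #2, or of mulint's own code. It scans a Mule `.properties` file and a Mule XML config for keys whose names look credential-like (`password`, `client_id`, `client_secret`, `token`, ...) and flags any whose value is a literal rather than a `${...}` or `${secure::...}` property placeholder. The key list, the regexes, the sample files and the XML element/attribute names are all assumptions constructed for the example, not mulint's rule set or a real Mule schema.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Substrings that commonly mark a credential-bearing key.
# Constructed heuristic list for this example, not mulint's own rules.
SENSITIVE_KEYS = ("password", "passwd", "secret", "client_id", "token", "api_key", "apikey")

# A value is treated as externalised when it is a Mule property placeholder,
# e.g. ${db.password} or a secure-properties placeholder ${secure::db.password}.
PLACEHOLDER_RE = re.compile(r"^\$\{[^}]+\}$")

# key=value / key:value lines in a .properties file (comments handled separately).
PROPERTY_RE = re.compile(r"^\s*([\w.\-]+)\s*[=:]\s*(.*?)\s*$")

# name="value" attribute pairs inside a Mule XML config line.
XML_ATTR_RE = re.compile(r'([\w.\-:]+)\s*=\s*"([^"]*)"')


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    key: str


def _normalise_key(key: str) -> str:
    # clientSecret -> client_secret, so camelCase XML attributes match the snake_case list.
    return re.sub(r"(?<=[a-z0-9])([A-Z])", r"_\1", key).lower()


def _is_sensitive_key(key: str) -> bool:
    k = _normalise_key(key)
    return any(s in k for s in SENSITIVE_KEYS)


def _is_literal(value: str) -> bool:
    # Empty values are not findings; placeholders are fine; anything else is a hardcoded literal.
    v = value.strip()
    return bool(v) and PLACEHOLDER_RE.match(v) is None


def find_hardcoded_credentials(path: str, text: str) -> list[Finding]:
    """Return one Finding per sensitive key whose value is a literal rather than a placeholder."""
    findings: list[Finding] = []
    is_xml = path.lower().endswith(".xml")
    for lineno, line in enumerate(text.splitlines(), start=1):
        if is_xml:
            pairs = XML_ATTR_RE.findall(line)
        else:
            if line.lstrip().startswith(("#", "!")):
                continue  # .properties comment line
            m = PROPERTY_RE.match(line)
            if not m:
                continue
            pairs = [m.groups()]
        for key, value in pairs:
            if _is_sensitive_key(key) and _is_literal(value):
                findings.append(Finding(path, lineno, key))
    return findings


# Constructed sample inputs (not from any real project).
SAMPLE_PROPERTIES = """\
# constructed sample mule-app.properties
db.host=localhost
db.user=app
db.password=Hunter2!
anypoint.client_id=${secure::anypoint.client_id}
anypoint.client_secret=0123456789abcdef
"""

SAMPLE_XML = """\
<mule xmlns="http://www.mulesoft.org/schema/mule/core">
  <db:mysql-config name="dbConfig" host="localhost" user="${db.user}" password="${db.password}"/>
  <api-autodiscovery apiName="orders" clientId="${anypoint.client_id}" clientSecret="s3cr3t-literal"/>
</mule>
"""


def scan_samples() -> list[Finding]:
    """Run the check over both constructed samples, as a linter would over a project tree."""
    return (find_hardcoded_credentials("mule-app.properties", SAMPLE_PROPERTIES)
            + find_hardcoded_credentials("orders.xml", SAMPLE_XML))


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f.path}:{f.line}: hardcoded value for '{f.key}'")
```

The placeholder test is deliberately the only thing that clears a sensitive key: a real rule would also want to confirm that the referenced property is itself defined in a file that is not committed (or is encrypted via secure properties), since `${db.password}` pointing at a committed `db.password=...` line moves the problem rather than fixing it.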

TrueWill commented 6 years ago

Good idea, @cjnickel!

aoathout commented 6 years ago

Why would we care if client_id and client_secret are stored in the repo? I get the point of the DB passwords, but client_id and client_secret aren't really that sensitive; they don't identify a user, etc., and can be regenerated at any time.

TrueWill commented 6 years ago

@cjnickel I see @aoathout's point - we're not using the "secret" for authentication/authorization to the actual back-end system. What are your thoughts?

TrueWill commented 6 years ago

Please review https://github.com/UFGInsurance/mulint/pull/2 and see what you think - it does not check everything, but it's one step towards this.

cjnickel commented 6 years ago

@TrueWill @aoathout - I was referring to the client_id and client_secret mostly for the UFG Organizations key for Anypoint API autodiscovery on CloudHub. Can we regenerate the organization id/secret at will? I don't think I have the ability to do that. It doesn't identify a user and isn't authentication per se, so I'm ok with leaving it out if you guys are.

TrueWill commented 6 years ago

Closing based on https://github.com/UFGInsurance/mulint/pull/2 - @cjnickel if there are additional checks you'd like we can reopen.